Connecting to one of my machines seemed slow, so I did a quick top. Sitting at the top of the list was a process called lscan-worm. That made me nervous, though it boggled my mind that anyone running a worm would actually CALL it that.

A Google search produced no hits, but a Google Groups search found me this thread: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=3EB0672F.7080702%40SPAMMERS.hotmail.com&rnum=1&prev=/groups%3Fq%3D%2522lscan-worm%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8%26selm%3D3EB0672F.7080702%2540SPAMMERS.hotmail.com%26rnum%3D1 (dated Apr 30th).

Code for the program lscan is here: http://www.dsinet.org/tools/network-scanners/lscan.c

"locate worm" found /usr/lib/lscan-worm and /usr/lib/samba1-worm.

I tried just killing lscan, and while it died, it respawned moments later. I moved /usr/lib/lscan-worm and /usr/lib/samba1-worm to different names, killed the process again, and it seems to have stayed dead.

chkrootkit does not warn of anything except 2 processes hidden from ls in /proc, but that is so often a false positive I don't know how much credit to give it.

I was running samba, but it is now purged (probably should have waited - oh well).

The system is running Sarge/Debian on a '86, with a couple of unofficial sources - merillat mostly. I'm running someone's totally unofficial MozillaFirebird.deb.

So, has anyone seen this before or have any suggestions besides nuke and re-install? (I probably will, but I would like to do a bit of post-mortem first and see if it is necessary.)

Update: Looks like I was hacked by someone who used the username arpa. He/she/it stashed their crap in /tmp and was downloading porn and some other exploit software there. Not sure where they first got in yet, though. So I guess this is a warning that SOMETHING in sarge is insecure. If I find out any more I will post more.

My apologies to those who get this message twice in the Chicago area :(

--
David Ehle
Computing Systems Manager
CAPP CSRRI rm 077 LS Bld.
IIT Main Campus
Chicago IL 60614
[EMAIL PROTECTED]
312-567-3751
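Two of the checks in the post (working out what keeps respawning a killed process, and chkrootkit's "processes hidden from ps in /proc" comparison) can be done directly against /proc. The script below is an added example, not the poster's or chkrootkit's code; it assumes a Linux /proc filesystem and a procps-style `ps`, and the process name on the command line (lscan-worm in the post) is the only input.

```python
import os
import subprocess
import sys

def parse_status(text):
    """Parse the "Key:<tab>value" lines of /proc/<pid>/status into a dict."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def live_status(pid):
    """Status dict of a running process plus its binary path from /proc/<pid>/exe; None if it has exited."""
    try:
        with open(f"/proc/{pid}/status") as f:
            st = parse_status(f.read())
    except OSError:
        return None
    try:
        st["Exe"] = os.readlink(f"/proc/{pid}/exe")  # root is needed for other users' processes
    except OSError:
        st["Exe"] = "?"
    return st

def parent_chain(pid, status_of):
    """Follow PPid links from pid up to PID 1 (status_of(pid) returns a status dict or None).
    For a process that comes back after being killed, the chain shows what is restarting it."""
    chain = []
    while pid > 0 and len(chain) < 64:
        st = status_of(pid)
        if st is None:
            break
        chain.append(st)
        pid = int(st.get("PPid", "0"))
    return chain

def hidden_pids(proc_entries, ps_pids):
    """PIDs present as /proc/<n> but missing from a ps listing, the comparison behind chkrootkit's
    hidden-process warning. Processes that exit between the two listings land here too: a lead, not proof."""
    return {int(e) for e in proc_entries if e.isdigit()} - set(ps_pids)

if __name__ == "__main__":  # usage: python3 triage.py lscan-worm
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    print("in /proc but not in ps:", sorted(hidden_pids(os.listdir("/proc"), map(int, ps_out.split()))))
    for entry in filter(str.isdigit, os.listdir("/proc")):
        st = live_status(int(entry))
        if st and st.get("Name") == sys.argv[1]:
            for hop in parent_chain(int(entry), live_status):
                print(hop.get("Pid"), hop.get("Name"), "exe:", hop.get("Exe"))
```

The Exe link is the fastest way to find the binary on disk before it is renamed or removed; the parent chain tells you whether to look at cron, inittab, or another process for the respawn.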

